Headline
CVE-2020-7246
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users[‘photop_preview’] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.
Related news
qdPM 9.1 Remote Code Execution
qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.